ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

telegram-voice-mode

语音回复模式。使用 /voiceMode 切换语音回复模式。 开启后所有回复自动转换为语音发送,关闭后恢复文字回复。 支持 Telegram、iMessage 等渠道的语音消息发送。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 377 · 0 current installs · 0 all-time installs
byWonderChen@JianGuoPaPa
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description claim multi-channel voice replies; code and SKILL.md rely specifically on the OpenClaw CLI and a workspace edge-tts script. The skill hardcodes a default Telegram ID (5500262186) labeled as a specific person, which is not justified by the generic 'voice mode' purpose.
!
Instruction Scope
Runtime instructions and scripts create files under /tmp and copy to ~/.openclaw/workspace/voice.mp3 and then invoke 'openclaw message send' to deliver media. This will cause the agent to send messages using whatever account the OpenClaw CLI is configured with — combined with the hardcoded default target, it can automatically send audio to an external recipient without additional confirmation.
Install Mechanism
No remote downloads or install steps; the skill is instruction-only with local JS scripts. Nothing is fetched from unknown URLs or extracted to disk by an installer.
!
Credentials
No declared env vars or credentials, but the code implicitly requires: (1) the OpenClaw CLI to be installed and authenticated (so the skill can send messages), and (2) an edge-tts script at ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. These implicit dependencies and the hardcoded Telegram ID are not proportionately justified by the description.
Persistence & Privilege
always is false and the skill does not modify other skills' configs. It does, however, write to ~/.openclaw/workspace/voice.mp3 (workspace area) and depends on another skill's files; this cross-skill coupling increases the blast radius if misused but does not itself request elevated platform privileges.
Scan Findings in Context
[child_process-spawn] expected: The scripts use spawn to run node (to invoke the edge-tts converter) and to invoke the 'openclaw' CLI; this is expected for a local TTS + send workflow.
[hardcoded-target-telegram-id] unexpected: scripts/voice-send.js contains a hardcoded DEFAULT_TARGET = '5500262186'. A generic 'voice-mode' skill should not hardcode an external recipient; this could cause unintended messages.
[cross-skill-path-reference] unexpected: Both scripts expect an edge-tts converter at ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. Implicitly relying on another skill's file path is fragile and could be used to trigger or misuse files belonging to other skills.
What to consider before installing
Before installing: inspect and, if needed, remove the hardcoded DEFAULT_TARGET from scripts; ensure you understand which OpenClaw account the 'openclaw' CLI will use (it will send messages using that account) and test in a safe environment to avoid sending audio to external users. Confirm the edge-tts converter exists in the expected path or modify the script to use an explicit, audited TTS implementation. If you don't want automatic sending, require explicit confirmation or remove the auto-send CLI call. If unsure, run these scripts in a sandboxed account or review them line-by-line with someone who understands your OpenClaw messaging configuration.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97dd3m548qddn9zqs2gam6pkh82cjra

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Voice Reply Skill

功能

  1. 语音模式切换 - 使用 /voiceMode 命令切换
  2. 语音自动发送 - 开启后回复自动转为语音发送

指令

/voiceMode

切换语音回复模式:

  • 开启:所有回复自动转换为中文女声语音发送(只发语音,不发文字)
  • 关闭:恢复普通文字回复

/voice status

查看当前语音模式状态

工作流程

语音模式开启时

  1. 捕获回复内容
  2. 使用 edge-tts 生成语音
  3. 发送到用户渠道(只发语音,不发文字)

语音模式关闭时

  1. 正常发送文字回复

一键发送脚本

voice-send.js

快速生成语音并发送到 Telegram:

node scripts/voice-send.js "要发送的文字" [telegram_id]

示例:

node scripts/voice-send.js "你好呀!" 5500262186

工作流程(自动)

  1. 生成语音文件 -> /tmp/voice-reply/voice_xxx.mp3
  2. 复制到 ~/.openclaw/workspace/voice.mp3
  3. 使用 openclaw message 发送

技术细节

  • 语音生成: edge-tts
  • 默认语音: zh-CN-XiaoxiaoNeural(中文女声)
  • 输出目录: /tmp/voice-reply/
  • 文件格式: MP3
  • 支持渠道: Telegram, iMessage, Discord 等

状态管理

当前模式由 agent 自行维护在会话上下文中。

重要提示

  • 语音模式下:只发语音,不发文字
  • 文字模式下:正常文字回复
  • 切换命令:/voiceMode

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…